VoIP Security Alliance launched

Leading computer security and telecommunications companies have created a new body to raise awareness of threats to VoIP (voice over Internet Protocol) technology.

The VoIP Security Alliance will circulate VoIP security risks through discussion lists, white papers and research projects. It hopes to spur adoption of VoIP by promoting best practices, while warning companies of threats to VoIP, including spam and denial of service (DoS) attacks.

One goal of the group is clear up misconceptions about the technology - a fundamental one being that deploying VoIP is the same as deploying traditional data networks. "There's this idea that you don't need to do anything different after you install VoIP applications," explained Dave Endler, director of digital vaccine at TippingPoint.

However, VoIP introduces new requirements for IP networks, including a higher premium on quality of service so that voice conversations are intelligible, and on the privacy of voice data sent over the network, Endler said.

Deploying VoIP also raises the stakes for network outages, including DoS attacks, because organisations lose voice as well as network services in such attacks, he said. "Imagine not being able to dial 911 - or imagine a 911 call center (that uses VoIP) inundated with VoIP spam," Endler said.

The group will research and distribute information on VoIP vulnerabilities and promote VoIP security tools.

It is backing research into VoIP security tools, including a "fuzzer" for the SIP protocol. The tool will be able to test SIP for weaknesses and vulnerabilities that could lead to attacks, Endler said.

The group will also promote best practices for deploying VoIP, such as configuring VoIP gear and separating voice data from other data on so-called converged networks.

Membership to the VoIP Security Alliance is dominated by companies, but is open to individual researchers and university research groups, as well as VoIP enthusiasts who are experts in the technology, Endler said.

While many leading VoIP players have already joined, some major players, including Cisco and Juniper are not listed as members.

But Endler says the group can succeed even without the backing of major technology vendors by becoming a reliable source of information and advice on VoIP security issues. He likened the group to the Open Web Application Security Project, a volunteer group that produces tools, documentation and standards for Web application security.

Individuals interested in joining the VoIP Security Alliance or subscribing to a VoIP security discussion list can visit the group's website at www.voipsa.org.